-rw-r--r--ca.conf3
-rwxr-xr-xsign-ca.in26
2 files changed, 19 insertions, 10 deletions
diff --git a/ca.conf b/ca.conf
index ab2eac4..52b05a9 100644
--- a/ca.conf
+++ b/ca.conf
@@ -4,6 +4,9 @@
ca_name='eckner-ca'
ca_subject_prefix='/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net'
+# which system user owns the ca
+ca_user='erich'
+
# where should the ca certificates be published?
remote_host='user@example.com'
remote_dir='httpdocs/certs'
diff --git a/sign-ca.in b/sign-ca.in
index ff0e0c5..cae09f2 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -10,14 +10,19 @@ if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
. '#ETCDIR#/simple-pki/ca.conf'
fi
+if [ -n "${ca_user}" ] \
+&& [ "$(whoami)" != "${ca_user}" ]; then
+ exec su "${ca_user}" -c "$0"
+fi
+
if [ -f "${key_dir}/${ca_name}.key.new" ] \
&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
|| [ ! -f "${key_dir}/${ca_name}.key" ] \
|| [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
|| [ ! -f "${key_dir}/${ca_name}.crt" ]; then
- mv "${key_dir}/${host_key_file}.key"{.new,}
- mv "${key_dir}/${host_key_file}.crt"{.new,}
+ mv "${key_dir}/${ca_name}.key"{.new,}
+ mv "${key_dir}/${ca_name}.crt"{.new,}
fi
fi
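Review bot: The re-exec `exec su "${ca_user}" -c "$0"` hands `$0` to the target user's shell as a command string, so a script path containing whitespace or shell metacharacters is re-parsed instead of executed as-is, and any arguments the script was started with are silently dropped. Passing the path through argv avoids both problems: `exec su "${ca_user}" -- "$0" "$@"` (util-linux and shadow `su` forward trailing arguments to the user's shell), or, since the script already depends on bash brace expansion, `exec su "${ca_user}" -c "$(printf '%q' "$0")"` if the `-c` form is to be kept. Either way a failed `su` still ends the script because `exec` replaces the process, which is the right outcome. The script body continues past the end of this hunk.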
@@ -33,7 +38,7 @@ if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
-addext 'authorityKeyIdentifier = keyid:always, issuer' \
-addext 'basicConstraints = critical, CA:true' \
-addext 'keyUsage = keyCertSign, cRLSign'
-done
+fi
rsync --ignore-missing-args \
"${key_dir}/${ca_name}.crt"{.new,} \
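Review bot: The `keyUsage` extension on the CA certificate is added without the `critical` flag, while `basicConstraints` two lines above is marked critical; RFC 5280 §4.2.1.3 says keyUsage SHOULD be marked critical when present, and a non-critical keyUsage on a root may be ignored by some relying parties. Change the line to `-addext 'keyUsage = critical, keyCertSign, cRLSign'`. The `openssl req` invocation this belongs to starts above the hunk, and the `rsync` call at the bottom continues below it.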
@@ -41,13 +46,14 @@ rsync --ignore-missing-args \
(
cd "${key_dir}"
- printf '%s %s\n' "$(
- date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \
- | cut -d+ -f1
- )" "$(
- sha512sum "${ca_name}.key" \
- | sed 's/\s\+/ /'
- )"
+ find . -maxdepth 1 \
+ -type f \( -name "${ca_name}"'.crt' -o -name "${ca_name}"'.crt.new' \) \
+ -printf '%TY-%Tm-%TdT%TT ' \
+ -exec sha512sum {} \; \
+ | sed '
+ s/\.[0-9]\+ / /
+ s@\s\s\+\(\S\+/\)\?@ @
+ '
) \
| ssh "${remote_host}" '
cd "'"${remote_dir}"'"